Policy for Spreadsheet controls

  • Hi,
    I am trying to implement Spreadsheet controls in my organisation. Is there any off-the-shelf policy document that can be used to lay down guidelines on Spreadsheet / End User Computing controls?
    Also need guidance on what are the practical approaches adopted by organisations to implement spreadsheet controls since I find there are hardly any buyers for implementation of spreadsheet controls. (Most times I hear it is not practical to implement controls such as Passwords / restricted access / version controls).
    I will appreciate any help that I get in resolving this.

  • Hi Venkat and welcome 🙂
    As some smaller applications may be non-automated and the financials tracked via spreadsheets, SOX requires more of a rigid change management approach than specific designs for the spreadsheets themselves.
    The overall goal is to prevent someone from accidentally or intentionally altering information. There is change management and version tracking software available (or you can also track this manually - although it may require more work). A good change management approach includes: version control, security controls, autonomy levels, and a standardized change management process.
    For example, you might work on next quarter’s financials in a test mode and in a test directory on the network. Once it’s finished and ready for publication you would ask your manager or better yet someone from another area (i.e., separation of duties) to promote this to production on a special server share directory.
    Finally, external audit will most likely want these controls documented and periodically tested for SOX compliancy. More information can be found related to that in the threads below. Good luck to you 🙂
    Below are additional threads discussing SOX related spreadsheet controls.

  • Hi,
    Thanks for the prompt response. I think I am going to leverage off the general consensus arrived at in the discussion forum and formulate a policy for the organisation with respect to maintaining controls over spreadsheets.

  • As I’m coming down the home stretch of managing a project to implement controls for spreadsheets at a major financial institution, I can tell you that policy alone will not remediate your issues.
    We used information from our last SOX testing, the infamous PwC white paper on spreadsheets and reviews with internal and external auditors to determine a specific number of ‘control objectives’ - when we reviewed and determined which of the controls could be met by technology, policy, standards or procedures - there wasn’t a single control that was met by policy alone. It is really a combination of all four or in some cases all but tech.
    Hope this helps.

  • I agree with buppy that your policy has to be complemented with technology safeguards so that it’s enforceable in order to be effective. I’ve used the expression in the past that ‘policies have to have teeth’ or folks will revert back to their old ways.
    As Venkat shares, policies are a good place to start the process. Once you figure out what needs to be controlled at a high level, you can then design more detailed standards and procedures to meet this objective.
    Then technological controls can be used so that security or automated change control software can ensure there are no loopholes in the process.
    Working closely with internal or external auditors can help as well, to ensure you’re on the right footing.

  • The other thing I forgot to mention is that we did use COTS - PwC had a list of about seven vendors that they narrowed down to two: Prodiance and Cimcon. If you are looking for software to help remediate (along with Policy and Procedures) I would strongly recommend looking at both vendors.

  • Microsoft has a whitepaper that might be useful:
    Spreadsheet Compliance in the 2007 Microsoft Office System
    The whitepaper can be found on microsoft.com by searching on the report title.
